Saturday, November 15, 2014

First Victims of the Stuxnet Worm Revealed, Kaspersky Lab Reports

Woburn, MA – November 11, 2014 – Kaspersky Lab today announced that after analyzing more than 2,000 Stuxnet files collected over a two-year period, it can identify the first victims of the Stuxnet worm. After Stuxnet was discovered over four years ago as one of the most sophisticated and dangerous malicious programs, Kaspersky Lab researchers can now provide insight into the question: what were the goals of the Stuxnet operation?
Initially security researchers had no doubt that the whole attack had a targeted nature. The code of the Stuxnet worm looked professional and exclusive; there was evidence that extremely expensive zero-day vulnerabilities were used. However, it wasn’t yet known what kind of organizations were attacked first and how the malware ultimately made it right through to the uranium enrichment centrifuges in the particular top secret facilities.
Kaspersky Lab analysis sheds light on these questions. All five of the organizations that were initially attacked are working in the ICS area in Iran, developing ICS or supplying materials and parts. One of the more intriguing organizations was the one attacked fifth, since among other products for industrial automation, it produces uranium enrichment centrifuges. This is precisely the kind of equipment that is believed to be the main target of Stuxnet.
Apparently, the attackers expected that these organizations would exchange data with their clients – such as uranium enrichment facilities – and this would make it possible to get the malware inside these target facilities. The outcome suggests that the plan was indeed successful.
“Analyzing the professional activities of the first organizations to fall victim to Stuxnet gives us a better understanding of how the whole operation was planned. At the end of the day this is an example of a supply-chain attack vector, where the malware is delivered to the target organization indirectly via networks of partners that the target organization may work with,” said Alexander Gostev, chief security expert, Kaspersky Lab.
Kaspersky Lab experts made another interesting discovery: the Stuxnet worm did not spread only via infected USB memory sticks plugged into PCs. That was the initial theory, and it explained how the malware could sneak into a place with no direct Internet connection. However, data gathered while analyzing the very first attack showed that the first sample of the worm (Stuxnet.a) was compiled just hours before it appeared on a PC in the first attacked organization. This tight timetable makes it hard to imagine that an attacker compiled the sample, put it on a USB memory stick and delivered it to the target organization in just a few hours. It is reasonable to assume that in this particular case the people behind Stuxnet used other techniques instead of a USB infection.
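The timing argument above rests on comparing a sample's PE compile timestamp with the time it was first observed on a host. As an added illustration (not Kaspersky's code, and using a constructed PE header and constructed dates rather than real Stuxnet data), this parses the COFF TimeDateStamp and measures the delivery window:

```python
"""Compare a Windows PE compile timestamp against the time the sample was
first seen on a host: the timeline check behind the 'compiled hours before
it appeared' observation. Sample bytes and dates below are constructed."""
import struct
from datetime import datetime, timedelta, timezone

def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF file header TimeDateStamp of a PE image as UTC."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of 'PE\0\0'
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def delivery_window(data: bytes, first_seen: datetime) -> timedelta:
    """Time between compilation and first appearance on the victim host.
    A negative or implausibly short window means the timestamp is forged,
    a clock is wrong, or the delivery path was faster than assumed."""
    return first_seen - pe_compile_time(data)

def build_sample(stamp: int) -> bytes:
    """Constructed minimal PE header (not malware) with a given TimeDateStamp."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)                # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff

# Constructed timeline: compiled 09:00 UTC, first seen on a host 5 hours later.
COMPILED = datetime(2010, 1, 1, 9, 0, tzinfo=timezone.utc)
FIRST_SEEN = datetime(2010, 1, 1, 14, 0, tzinfo=timezone.utc)
SAMPLE = build_sample(int(COMPILED.timestamp()))

if __name__ == "__main__":
    win = delivery_window(SAMPLE, FIRST_SEEN)
    print(f"compiled {pe_compile_time(SAMPLE):%Y-%m-%d %H:%M} UTC, first seen {win} later")
    if win < timedelta(days=1):
        print("tight window: physical hand-off unlikely, review network delivery paths")
```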

The latest technical information about some previously unknown aspects of the Stuxnet attack can be read on Securelist and journalist Kim Zetter’s new book, “Countdown to Zero Day.” The book includes previously undisclosed information about Stuxnet; some of this information is based on the interviews with members of the Kaspersky Lab Global Research and Analysis Team.
ICS: industrial control systems
September 28, 2010

Is Stuxnet the new Ultra?

By Mladen Andrijasevic

Few people realize the importance of Marian Rejewski, Jerzy Rozycki and Henryk Zygalski. These three Polish mathematicians and cryptologists broke the Enigma machine, the main cipher used by the Germans, in 1932, and in 1939 transferred their knowledge to the British, who under the leadership of Alan Turing at Bletchley Park continued to penetrate most German communications during WWII.

The history of WWII would have been quite different if it had not been for Ultra, as the intelligence obtained through breaking Enigma was called. The anti-submarine warfare in the Battle of the Atlantic was won almost entirely thanks to Ultra. Many of the major battles of the Second World War, the Battle of Britain, El Alamein, Stalingrad, Kursk, D-Day, were won at least partly because Ultra had broken the German code.

But all this was unknown until 30 years after the end of the Second World War.

So what is one to make of articles like this one in Computerworld, "Is Stuxnet the 'best' malware ever?":

The Stuxnet worm is a "groundbreaking" piece of malware so devious in its use of unpatched vulnerabilities, so sophisticated in its multipronged approach, that the security researchers who tore it apart believe it may be the work of state-backed professionals.
"It's amazing, really, the resources that went into this worm," said Liam O Murchu, manager of operations with Symantec's security response team.
"I'd call it groundbreaking," said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab. In comparison, other notable attacks, like the one dubbed Aurora that hacked Google's network and those of dozens of other major companies, were child's play.
The malware, which weighed in at nearly half a megabyte -- an astounding size, said Schouwenberg -- was written in multiple languages, including C, C++ and other object-oriented languages, O Murchu added.

Or this one in The Economist, "A cyber-missile aimed at Iran?":

But the possibility that it might have been aimed at one set of industrial-control systems in particular—those inside Iranian nuclear facilities—has prompted one security expert to describe Stuxnet as a "cyber-missile", designed to seek out and destroy a particular target. Its unusual sophistication, meanwhile, has prompted speculation that it is the work of a well-financed team working for a nation state, rather than a group of rogue hackers trying to steal industrial secrets or cause trouble. This, in turn, has led to suggestions that Israel, known for its high-tech prowess and (ahem) deep suspicion of Iran's nuclear programme, might be behind it. But it is difficult to say how much truth there is in this juicy theory.

Are we witnessing the first visible stages of the war against the Iranian nuclear sites? Although the worm can apparently be patched, I can imagine the level of concern that is spreading among the Iranians is significant. Will it take 30 years to find out what has happened?

Is Israel involved? Should we be surprised if it were? Not really. One just needs to read the book Start-Up Nation by Dan Senor and Saul Singer to get the magnitude of Israel’s achievement in computer technology in the last 30 years. The 8088 chip used in the original IBM PC was designed in Haifa, the 386 in Jerusalem. Centrino and Core 2 Duo, and most of Intel’s forty new processors over a one-hundred-day period, were based on Intel’s Israeli team’s design.

Is Stuxnet just the tip of the iceberg? Will computer know-how play the same role Ultra played in the Second World War? Let’s hope so. Is the ingenuity, innovation and chutzpah that made the Israeli computer revolution possible now being utilized to counter the Iranian threat? Apparently.

There is a difference. The scientific and technological achievement of both sides during World War II was comparable. Britain had the radar and Alan Turing, the Americans the Manhattan project. The Germans had Karl Zuse, who invented the first electro-mechanical computer, and Wernher von Braun. Today the difference is between a country (or countries) that virtually invented the technology and one that is still learning how to use it. Let’s hope that this difference will prove crucial.